By default, in an explicit proxy-chain setup, FortiProxy acting as the child proxy performs a DNS lookup for every intercepted client HTTP request. Server URLs (web-proxy url-match) can be configured so that specific URLs (type list, referencing a url-list) or all URLs (type wildcard) bypass the DNS lookup on the child proxy and are handed straight to the configured forward server (the parent proxy).
The following example creates the URL list 'url-test-1', which exempts 'example.com', 'red.com' and '*.fortinet.com' from the DNS lookup on the child proxy. The URL list is then referenced from the Server URL setting.
config web-proxy url-list
    edit "url-test-1"
        config entries
            edit 1
                set url "example.com"
            next
            edit 2
                set url "red.com"
            next
            edit 3
                set url "*.fortinet.com"
                set type wildcard
            next
        end
    next
end

config web-proxy url-match
    edit "SURL-01-URL-List"
        set type list                         <--
        set url-list "url-test-1"             <--
        set forward-server "Parent-Proxy-FPX"
    next
end
The WAD debug output shows that no DNS lookup occurs when the user browses to 'example.com', which matches the URL list. Debug was enabled with:
dia wad debug enable category http
dia wad debug enable category policy
dia wad debug enable category dns
dia wad debug enable level verbose
dia wad filter src <computer_IP@>
dia de console time enable
dia de enable
[I]2023-12-03 20:49:03.550655 wad_dump_http_request :2736 hreq=0x7f99448fda80 Received request from client: 10.100.4.131:64127
GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
....
....
[V]2023-12-03 20:49:03.550690 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 20:49:03.550754 wad_url_match_find :167 order=1 hits=1 cache-x=0: 'SURL-01-URL-List' -> 'Parent-Proxy-FPX' <<==
[I]2023-12-03 20:49:03.551008 wad_http_req_policy_set :10268 match policy-id=2 <<====
The WAD debug log below shows that a DNS lookup does occur when the user browses to 'bbc.com', which is not in the URL list.
Note:
If there is only one explicit proxy policy and that policy has web forwarding enabled, traffic to a website that is not in the URL list is denied: the child proxy resolves the name itself, but the resolved destination then matches no policy.
Example:
[I]2023-12-03 20:49:17.823592 wad_dump_http_request :2736 hreq=0x7f99448fd0b0 Received request from client: 10.100.4.131:64127
GET http://bbc.com/ HTTP/1.1
Host: bbc.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....
[V]2023-12-03 20:49:17.823627 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 20:49:17.823635 wad_http_req_check_dns :75 hn=0x7f99446135e8 sn=(nil)
[I]2023-12-03 20:49:17.823639 wad_http_dns_resolve :7749 [0x7f99448fd0b0] DNS request name=bbc.com len=7 type/pref=0/0
[I]2023-12-03 20:49:17.911017 wad_http_dns_request_done :12390 [0x7f99448fd0b0] DNS resolved: 151.101.0.81
[V]2023-12-03 20:49:17.911112 wad_http_req_check_policy :11934 start match policy vd=0(ses_ctx:cx|Phx|Mde|Hhf|C|A7|Og) (10.110.1.46:44152@4->151.101.0.81:80@3) absUrl=1
[W]2023-12-03 20:49:17.911127 wad_fast_match_one :3686 No policy matched! <<=====
[I]2023-12-03 20:49:17.911134 wad_http_req_policy_set :10268 match policy-id=0
[E]2023-12-03 20:49:17.911538 wad_http_req_proc_policy :9943 POLICY DENIED <<=====
To have all URLs bypass the DNS lookup in the child proxy, configure the Server URL with the wildcard type:
config web-proxy url-match
    edit "SURL-02-Wildcard"
        set type wildcard                     <--
        set url-pattern "*"                   <--
        set forward-server "Parent-Proxy-FPX"
    next
end
The following debug log shows both 'example.com' and 'bbc.com' are forwarded to the parent proxy without DNS lookup:
[I]2023-12-03 21:20:58.220010 wad_dump_http_request :2736 hreq=0x7fb74abf1ab8 Received request from client: 10.100.4.131:64282
GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....
[V]2023-12-03 21:20:58.220022 wad_http_marker_uri :1305 scheme=http
[V]2023-12-03 21:20:58.220028 wad_http_marker_uri :1262 path=/ len=1
[I]2023-12-03 21:20:58.220074 wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[V]2023-12-03 21:20:58.220084 wad_http_normalize_uri :2335 host_len=11 path_len=1 query_len=0
[V]2023-12-03 21:20:58.220105 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 21:20:58.220186 wad_url_match_find :167 order=1 hits=18 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
....
....
[I]2023-12-03 21:20:58.220511 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64282@4 -> 10.110.3.140:80@6)
[I]2023-12-03 21:21:01.290563 wad_dump_http_request :2736 hreq=0x7fb74abf2970 Received request from client: 10.100.4.131:64285
CONNECT bbc.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....
[I]2023-12-03 21:21:01.290575 wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[I]2023-12-03 21:21:01.290586 wad_http_conn_req_classify :6031 no security profile HTTPS/HTTP, tport=443
[V]2023-12-03 21:21:01.290595 wad_url_match_find :167 order=1 hits=21 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
.....
.....
[I]2023-12-03 21:21:01.290627 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64285@4 -> 10.110.3.140:443@6)
[I]2023-12-03 21:21:01.290641 wad_http_req_proc_policy :9923 ses_ctx:x|Phx|Mde|Hhf|C|A7|O conn_srv=0 fwd_srv=Parent-Proxy-FPX
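Reading WAD debug by eye works for two requests, but when validating a url-list or wildcard Server URL against a realistic browsing session it helps to reduce the debug output to one line per request: did wad_url_match_find hit, did wad_http_dns_resolve run, and what was the policy result. The script below is an added example and not Fortinet tooling; it parses the debug line formats shown on this page (wad_dump_http_request, wad_url_match_find, wad_http_dns_resolve, wad_http_dns_request_done, wad_http_req_policy_set, POLICY DENIED, fwd_srv=) and assumes the capture was taken with 'dia wad filter src <client>' so that a handle-less line belongs to the most recently dumped request. The sample log is constructed from the three requests above and is not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample modelled on the WAD debug output above (not a real capture).
SAMPLE_LOG = """\
[I]2023-12-03 20:49:03.550655 wad_dump_http_request :2736 hreq=0x7f99448fda80 Received request from client: 10.100.4.131:64127
GET http://example.com/ HTTP/1.1
[V]2023-12-03 20:49:03.550754 wad_url_match_find :167 order=1 hits=1 cache-x=0: 'SURL-01-URL-List' -> 'Parent-Proxy-FPX'
[I]2023-12-03 20:49:03.551008 wad_http_req_policy_set :10268 match policy-id=2
[I]2023-12-03 20:49:17.823592 wad_dump_http_request :2736 hreq=0x7f99448fd0b0 Received request from client: 10.100.4.131:64127
GET http://bbc.com/ HTTP/1.1
[I]2023-12-03 20:49:17.823639 wad_http_dns_resolve :7749 [0x7f99448fd0b0] DNS request name=bbc.com len=7 type/pref=0/0
[I]2023-12-03 20:49:17.911017 wad_http_dns_request_done :12390 [0x7f99448fd0b0] DNS resolved: 151.101.0.81
[W]2023-12-03 20:49:17.911127 wad_fast_match_one :3686 No policy matched!
[I]2023-12-03 20:49:17.911134 wad_http_req_policy_set :10268 match policy-id=0
[E]2023-12-03 20:49:17.911538 wad_http_req_proc_policy :9943 POLICY DENIED
[I]2023-12-03 21:21:01.290563 wad_dump_http_request :2736 hreq=0x7fb74abf2970 Received request from client: 10.100.4.131:64285
CONNECT bbc.com:443 HTTP/1.1
[V]2023-12-03 21:21:01.290595 wad_url_match_find :167 order=1 hits=21 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
[I]2023-12-03 21:21:01.290627 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64285@4 -> 10.110.3.140:443@6)
[I]2023-12-03 21:21:01.290641 wad_http_req_proc_policy :9923 ses_ctx:x|Phx|Mde|Hhf|C|A7|O conn_srv=0 fwd_srv=Parent-Proxy-FPX
"""

REQ_START = re.compile(r"wad_dump_http_request .*hreq=(0x[0-9a-f]+)")
REQ_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT)\s+(\S+)\s+HTTP/")
HANDLE = re.compile(r"\[(0x[0-9a-f]+)\]")  # request handle carried by the DNS lines
DNS_REQ = re.compile(r"wad_http_dns_resolve .*DNS request name=(\S+)")
DNS_DONE = re.compile(r"wad_http_dns_request_done .*DNS resolved: (\S+)")
URL_MATCH = re.compile(r"wad_url_match_find .*: '([^']+)' -> '([^']+)'")
POLICY = re.compile(r"wad_http_req_policy_set .*match policy-id=(\d+)")
FWD_SRV = re.compile(r"\bfwd_srv=(\S+)")


@dataclass
class WadRequest:
    hreq: str
    method: str = ""
    target: str = ""
    dns_name: Optional[str] = None       # set only if the child proxy resolved the name
    dns_answer: Optional[str] = None
    url_match: Optional[str] = None      # Server URL entry that hit, if any
    forward_server: Optional[str] = None
    policy_id: Optional[int] = None
    denied: bool = False

    def host(self) -> str:
        if self.method == "CONNECT":     # CONNECT target is host:port, not a URL
            return self.target.rsplit(":", 1)[0]
        return urlsplit(self.target).hostname or ""

    def dns_bypassed(self) -> bool:
        return self.dns_name is None


def parse_wad_debug(text: str) -> List[WadRequest]:
    """Group WAD debug lines into one record per dumped HTTP request."""
    by_handle: Dict[str, WadRequest] = {}
    order: List[WadRequest] = []
    current: Optional[WadRequest] = None
    for line in text.splitlines():
        m = REQ_START.search(line)
        if m:
            current = WadRequest(hreq=m.group(1))
            by_handle[current.hreq] = current
            order.append(current)
            continue
        if current is None:
            continue                     # noise before the first request
        # Lines with [0x...] are attributed by handle; the rest go to the latest request
        # (assumption: debug filtered to a single client, so requests rarely interleave).
        h = HANDLE.search(line)
        req = by_handle.get(h.group(1), current) if h else current
        if (m := REQ_LINE.match(line)):
            req.method, req.target = m.group(1), m.group(2)
        elif (m := DNS_REQ.search(line)):
            req.dns_name = m.group(1)
        elif (m := DNS_DONE.search(line)):
            req.dns_answer = m.group(1)
        elif (m := URL_MATCH.search(line)):
            req.url_match, req.forward_server = m.group(1), m.group(2)
        elif (m := POLICY.search(line)):
            req.policy_id = int(m.group(1))
        elif "POLICY DENIED" in line:
            req.denied = True
        elif (m := FWD_SRV.search(line)):
            req.forward_server = m.group(1)
    return order


def classify(req: WadRequest) -> str:
    if req.denied:
        return "denied"
    if req.url_match and req.dns_bypassed():
        return "forwarded-no-dns"        # Server URL hit, handed to the parent proxy
    if not req.dns_bypassed():
        return "resolved-locally"        # child proxy did its own lookup
    return "unknown"


def dns_leaks(reqs: List[WadRequest]) -> List[str]:
    """Hosts the child proxy resolved itself; with a wildcard Server URL this must be empty."""
    return [r.host() for r in reqs if not r.dns_bypassed()]


if __name__ == "__main__":
    for r in parse_wad_debug(SAMPLE_LOG):
        print(f"{r.hreq} {r.method:7} {r.host():12} url-match={r.url_match} "
              f"dns={r.dns_answer} policy={r.policy_id} -> {classify(r)}")
```

Feed it a capture taken with the debug commands listed earlier; a non-empty dns_leaks() result after switching to the wildcard Server URL means some requests are still being resolved on the child proxy and merit a closer look at the matching order and the url-match entries.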